Hi All,
I have addressed almost all of the security recommendations from a single PowerShell script, but I'm stuck with the two settings below:
1) Disabling the managed object browser needs the vim-cmd command.
2) The password policy needs an edit to /etc/pam.d/passwd.
I was wondering whether there is a way I can implement the above two settings using PowerCLI.
That way I run a single PowerCLI script and the script hardens the entire ESXi box.
Thanks,
Preetam
AFAIK there is neither a PowerCLI cmdlet nor a vSphere method to do that.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
For 2), see William's post called Using vCLI’s vifs For More Than Just Datastore File Management.
If you can, and are willing to, update the /etc/vmware/hostd/webAccessibleConfigFiles.xml file to include the pam file, you could use that method to access the file.
For 1), with an SSH connection, for example through plink.exe, you can run the vim-cmd command, as mentioned in KB1016039, to disable the MOB.
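As an added example, not part of the thread or of Luc's reply, here is the approach from this answer folded into one PowerCLI script: the TSM-SSH service is started from PowerCLI, the KB1016039 vim-cmd command is run through plink.exe, the proxy service list is read back to confirm /mob is gone, and SSH is stopped again. It assumes PowerCLI is loaded, plink.exe is on the PATH, the host's SSH key is already cached for plink (with -batch an unknown key aborts instead of prompting) and you know the root password; the server and host names are placeholders.

```powershell
# Added example (not from the thread). Disable the MOB on one ESXi 5.x host from a
# single PowerCLI script by running the KB1016039 vim-cmd command over SSH.
# Assumptions: PowerCLI loaded, plink.exe on the PATH, host key already cached,
# root password known. Names below are placeholders.
$VIServer     = 'vcenter.example.local'   # placeholder
$VMHostName   = 'esxi01.example.local'    # placeholder
$RootPassword = Read-Host -Prompt "root password for $VMHostName"

# Run one command on the host through plink.exe and return its stdout.
# -batch makes plink fail instead of prompting (e.g. for an unknown host key).
function Invoke-EsxiSsh {
    param([string]$HostName, [string]$Password, [string]$Command)
    $out = & plink.exe -ssh -batch -noagent -l root -pw $Password $HostName $Command
    if ($LASTEXITCODE -ne 0) {
        throw "plink failed on $HostName (exit $LASTEXITCODE): $out"
    }
    return $out
}

Connect-VIServer -Server $VIServer | Out-Null
$vmhost = Get-VMHost -Name $VMHostName

# Enable SSH only for the duration of the change, and remember its prior state.
$ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
$sshWasRunning = $ssh.Running
if (-not $sshWasRunning) {
    Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null
}

try {
    # The KB shows the two arguments double-quoted; they contain no shell
    # metacharacters, and omitting the quotes avoids PowerShell's mangling of
    # embedded double quotes when it hands the string to a native exe.
    Invoke-EsxiSsh $VMHostName $RootPassword 'vim-cmd proxysvc/remove_service /mob httpsWithRedirect' | Out-Null

    # Verify: /mob must no longer appear in the proxy service list.
    $services = Invoke-EsxiSsh $VMHostName $RootPassword 'vim-cmd proxysvc/service_list'
    if ($services -match '/mob') {
        throw "MOB is still listed on $VMHostName"
    }
    Write-Host "MOB disabled on $VMHostName"
}
finally {
    # Put SSH back the way we found it even if the change failed.
    if (-not $sshWasRunning) {
        Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
    }
}
```

Confirm after a host reboot that /mob is still absent from proxysvc/service_list before relying on this in a hardening baseline. On ESXi 6.0 and later there is also the advanced setting Config.HostAgent.plugins.solo.enableMob, which PowerCLI can set with Get-AdvancedSetting / Set-AdvancedSetting without any SSH session; the thread is about ESXi 5.0, where the vim-cmd route applies.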
But then again I have to use vCLI, which means using more than one script.
Unless there is a way to achieve the same thing using PowerCLI which I'm not aware of.
Mind sharing your script for the hardening? I was planning on getting around to doing the same thing but haven't done it yet.
Somewhat related to this: I posted the link below in the ESXi 5.0 board because I could not get the password complexity to work correctly.
Basically,
I would like to set the password complexity for new accounts on my ESXi 5.0 (Update 2) host to a minimum of 14 characters, with at least one of each of the following: one upper-case character, one digit, one lower-case character, one special character, and no dictionary words (passphrases).
I updated the /etc/pam.d/passwd file to look like the following (changed the default min=8,8,8,7,6):
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,14
I then go up to the VI Client and try to create a user on the host with this new complexity, and it will only accept a password with a minimum of 30 characters.
I would be curious to hear if your settings worked for you.
Original Post:
Hi Luc,
I was able to do this using plink.exe and the sed command.
So my script is ready and under final testing.
Thanks for your assistance.
lakey81: I will definitely share the script; please allow me some time.
MCioe: Please refer to the KB if you've not done so; it might help.
TechStarts,
I have looked at that KB and it does not have any additional insight for me. I want to set the password complexity to the following:
minimum of 14 characters,
at least one upper case char,
at least one lowercase char,
at least one numeric char,
at least one special char,
no dictionary words and
at least 4 chars changed between old and new password.
My understanding is that I can update /etc/pam.d/passwd to have this line to accomplish that, but it does not work:
password requisite /lib/security/$ISA/pam_passwdqc.so retry=3 min=disabled,disabled,disabled,disabled,14
When I create a user/password in the VI Client with that complexity, I have to create a password with a minimum of 30 chars.
Am I missing something?
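As an added example, not from the thread or from MCioe's post, the plink.exe + sed route Preetam mentions, plus a small classifier that counts character classes the way pam_passwdqc does, so you can predict which of the five min= fields a candidate password will be judged against. The function names, the sample passwords and the SSH assumptions (plink.exe on the PATH, cached host key, SSH already enabled on the host, root password known) are all mine; the pam line format is the one MCioe quotes above.

```powershell
# Added example (not from the thread). Builds a pam_passwdqc line, predicts how
# passwdqc will classify candidate passwords, and pushes the line to
# /etc/pam.d/passwd on an ESXi host with plink.exe + sed. All names and sample
# passwords are constructed for this example.

# passwdqc's min= fields, in order: N0 one class, N1 two classes, N2 passphrase,
# N3 three classes, N4 four classes. 'disabled' rejects that kind of password.
function New-PasswdqcLine {
    param(
        [string[]]$Min = @('disabled', 'disabled', 'disabled', 'disabled', '14'),
        [int]$Retry = 3
    )
    if ($Min.Count -ne 5) { throw 'min= needs exactly five fields' }
    # Single quotes keep $ISA literal; pam expands it on the host.
    return ('password requisite /lib/security/$ISA/pam_passwdqc.so retry={0} min={1}' -f $Retry, ($Min -join ','))
}

# Count character classes the way passwdqc does: an upper-case first character
# and a digit last character are not credited towards the class count.
function Get-PasswdqcClassCount {
    param([string]$Password)
    $body = $Password
    if ($body.Length -gt 0 -and [char]::IsUpper($body[0])) { $body = $body.Substring(1) }
    if ($body.Length -gt 0 -and [char]::IsDigit($body[$body.Length - 1])) { $body = $body.Substring(0, $body.Length - 1) }
    $classes = 0
    if ($body -cmatch '[a-z]')         { $classes++ }
    if ($body -cmatch '[A-Z]')         { $classes++ }
    if ($body -match  '[0-9]')         { $classes++ }
    if ($body -cmatch '[^A-Za-z0-9]')  { $classes++ }
    return $classes
}

# Length check against the min= field that matches the class count.
# (Passphrase and dictionary checks are not modelled here.)
function Test-PasswdqcPolicy {
    param([string]$Password, [string[]]$Min = @('disabled', 'disabled', 'disabled', 'disabled', '14'))
    $classes = Get-PasswdqcClassCount $Password
    # 1 class -> N0, 2 -> N1, 3 -> N3, 4 -> N4; N2 is reserved for passphrases.
    $index = @{1 = 0; 2 = 1; 3 = 3; 4 = 4}[$classes]
    if ($null -eq $index) { return $false }
    $limit = $Min[$index]
    if ($limit -eq 'disabled') { return $false }
    return $Password.Length -ge [int]$limit
}

# Rewrite only the pam_passwdqc line on the host, keeping a backup, and echo
# the resulting line back so the script can show what the host now has.
function Set-EsxiPasswdqcPolicy {
    param([string]$HostName, [string]$RootPassword, [string]$PamLine)
    $remote = "cp /etc/pam.d/passwd /tmp/passwd.bak && sed 's#^password.*pam_passwdqc\.so.*#$PamLine#' /tmp/passwd.bak > /etc/pam.d/passwd && grep pam_passwdqc /etc/pam.d/passwd"
    $out = & plink.exe -ssh -batch -noagent -l root -pw $RootPassword $HostName $remote
    if ($LASTEXITCODE -ne 0) { throw "plink failed on $HostName (exit $LASTEXITCODE): $out" }
    return $out
}

$line = New-PasswdqcLine
Write-Host "Line to install: $line"

# Constructed candidates. 'Tr0ub4dor&3' loses its leading T and trailing 3 and is
# judged as 3-class and too short; 'Correct-horse-battery-9' is judged 2-class;
# 'xK9#plm2Qw!rzT' is 4-class and 14 characters, so it passes N4=14.
'Tr0ub4dor&3', 'Correct-horse-battery-9', 'xK9#plm2Qw!rzT' | ForEach-Object {
    '{0,-26} classes={1} accepted={2}' -f $_, (Get-PasswdqcClassCount $_), (Test-PasswdqcPolicy $_)
}

# To push it (placeholders):
# Set-EsxiPasswdqcPolicy -HostName 'esxi01.example.local' -RootPassword $pw -PamLine $line
```

The upper-case-first / digit-last rule is the reason a 14-character password such as "Capitalized-word1" can still be refused under min=disabled,disabled,disabled,disabled,14: passwdqc counts it as two classes, and N1 is disabled. Keep /tmp/passwd.bak until a real password change has confirmed the new line, and check that the edit is still present after a host reboot before treating it as part of the baseline.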
Hi, check out my MOBdisabler script on GitHub. Hope it helps.
vmware/MOBdisabler1.1 at master · gajuambi/vmware · GitHub
Yes, true, but I found that to be a little lengthy (it takes more time). Instead you can create a shell script on the host, run the script and delete the script via plink + PowerShell.
vmware/MOBdisabler1.1 at master · gajuambi/vmware · GitHub
Hi,
You can use my method to disable the MOB:
vmware/MOBdisabler1.1 at master · gajuambi/vmware · GitHub
That will disable the MOB by creating a shell script inside the host and running it.
or
use the following simple method
https://github.com/gajuambi/vmware/blob/master/WINtoESXi
where you have to replace command1 with whatever command you want, which in this case will be
from
C:\plink.exe -ssh -v -noagent $VMHost -l $user -pw $pass 'command1'
to
C:\plink.exe -ssh -v -noagent $VMHost -l $user -pw $pass 'vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"'
I use at least one of these two methods every day.